Hardware wallet manufacturer Ledger will disable blind signing for EVM decentralized applications (dapps) by June 2024, following an exploit in which a wallet drainer was added to a library used by many developers to connect to its devices.
In a tweet, Ledger said that around $600,000 in crypto assets were stolen during the exploit. It announced that affected victims would be "made whole" and that it would "no longer allow Blind Signing with Ledger devices by June 2024.
Blind signing involves the display of raw smart contract signing data that can be parsed by computers but is incomprehensible to a human reader. Ledger has previously advocated for a "what you see is what you sign" approach known as clear signing, in which smart contract signing is parsed in a human-readable manner.
In its announcement, Ledger stated that its move to sunset blind signing would "lead to a new standard to protect users and encourage Clear Signing across DApps," and encouraged dapp developers to support clear signing.
We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.
We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.
Ledger…
— Ledger (@Ledger) December 20, 2023
In last week's exploit, a malicious version of the Ledger Connect Kit, a library that enables Ledger devices to connect with dapps, was identified by developers on Twitter. Web3 security firm BlockAid reported that, "The attacker injected a wallet draining payload" into the ledgerconnect kit's NPM package," enabling them to drain the funds of users who signed on dapps including Sushi.com and Hey.xyz.
Software wallet developer MetaMask warned users to "stop using dapps" after news of the attack broke.
In a follow-up post, Ledger confirmed that the attack took place as a result of a former employee falling victim to a phishing attack. The attacker was able to gain access to the former employee's NPMJS account, a JavaScript package manager, enabling them to push a malicious version of the Ledger Connect Kit. The malicious Connect Kit then rerouted user funds from any wallet connecting to a dapp using it, to the hacker's own wallet.
Ledger stated that a fix was deployed within 40 minutes of the firm's security teams being alerted, and has pushed a new version of the Connect Kit (1.1.8). Ledger devices themselves, and the firm's Ledger Live app, were not compromised by the exploit, it added.
The firm has previously faced criticism over its security. In 2020 a Ledger customer email database was hacked, with over a million user emails compromised, while earlier this year Ledger's voluntary ID-based Recover service was dubbed a "backdoor" by users. Ledger's co-founder Éric Larchevêque described the rollout of the Recover service as, "a total PR failure, but absolutely not a technical one."
Edited by Stacy Elliott.